On Thu, 2007-27-12 at 22:49 +0200, alex bodnaru wrote:
>
> iain duncan wrote:
> > On Thu, 2007-27-12 at 20:08 +0200, alex bodnaru wrote:
> >> hi lee,
> >>
> >> thanks for your answer.
> >>
> >> you have pointed me to another issue.
> >>
> >> now i've made a widget, with the intention to display already formatted
> >> xhtml text segments. hence, i'd like not to escape the markup.
> >>
> >> XML() would work, if i prepend a valid xml header. i need to invoke a
> >> function for that somewhere in the widget class or module.
> >>
> >> would you recommend a <?python ... ?> segment?
> >
> > On a related note, I found that using tidy and beautiful soup somewhere
> > in the chain was worthwhile, it seems to be the most reliable way of
> > making sure bad xhtml wouldn't throw an exception in the template
> > rendering. I settled on a custom validator at the input boundary that
> > ran tidy on the input and (optionally) used beautiful soup to look for
> > bad tags. If tidy couldn't clean it up, the input got rejected. Then you
> > can breathe easy knowing XML() won't choke and that you have filtered out
> > any tags you don't want for security reasons ( script, iframe, what
> > not ). TinyMCE of course gives you converted html entities too, but can
> > be bypassed if the user wants to.
> >
> > Iain
> >
> so you say i can write a validator on output as well?
Dunno about that, I was just chucking out the method I used to filter on
input boundary in case it might be helpful. I believe you can use
formencode any time you pass stuff from one function to another if you
dig in enough, but you'd need better form encode gurus to answer that
definitively. You could certainly use tidy and beautiful soup on output,
if you need to. In my case, input happened rarely and output frequently
so I moved all parsing into the input boundary to speed up views.

hth
Iain
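The input-boundary validator Iain describes (clean the submitted markup, drop the tags you don't want such as script and iframe, reject anything that cannot be made well-formed so XML() never chokes), written out as an added example; this is not code from the thread or from TurboGears. It uses only Python's standard library in place of tidy and Beautiful Soup, and the allowlist of tags and attributes is a hypothetical policy for illustration. It goes slightly beyond the post by also filtering attributes and URL schemes, since a bare tag allowlist still lets event handlers and javascript: links through.

```python
"""Allowlist-based XHTML sanitizer for an input boundary (added example).

Policy, all hypothetical for this example: keep an allowlist of tags and
attributes, discard script/iframe-style elements together with their
content, strip every other unknown tag but keep its text, close tags the
author left open, and finally prove the result parses as XML.
"""
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit
import xml.etree.ElementTree as ET

ALLOWED_TAGS = {"p", "br", "b", "i", "em", "strong", "ul", "ol", "li",
                "a", "h1", "h2", "h3", "blockquote", "code", "pre"}
ALLOWED_ATTRS = {"a": {"href", "title"}}
URL_ATTRS = {"href"}
SAFE_SCHEMES = {"", "http", "https", "mailto"}   # "" means a relative URL
DROP_WITH_CONTENT = {"script", "style", "iframe", "object", "embed"}
VOID_TAGS = {"br"}


class RejectedInput(ValueError):
    """Raised when the fragment cannot be made both safe and well-formed."""


def _safe_url(value):
    # Strip all whitespace first: browsers tolerate "java\tscript:" as a scheme.
    compact = "".join(value.split())
    return urlsplit(compact).scheme.lower() in SAFE_SCHEMES


class _Sanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []          # output fragments
        self.stack = []        # currently open allowlisted elements
        self.dropped = []      # dangerous tags seen, for the caller's decision
        self.skip_tag = None   # element whose content is being discarded
        self.skip_depth = 0

    def handle_starttag(self, tag, attrs):
        if self.skip_depth:
            if tag == self.skip_tag:
                self.skip_depth += 1
            return
        if tag in DROP_WITH_CONTENT:
            self.dropped.append(tag)
            self.skip_tag, self.skip_depth = tag, 1
            return
        if tag not in ALLOWED_TAGS:
            return                         # unknown tag: drop it, keep its text
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, ()) or value is None:
                continue
            if name in URL_ATTRS and not _safe_url(value):
                continue
            kept.append(' %s="%s"' % (name, escape(value, quote=True)))
        if tag in VOID_TAGS:
            self.out.append("<%s%s />" % (tag, "".join(kept)))
        else:
            self.out.append("<%s%s>" % (tag, "".join(kept)))
            self.stack.append(tag)

    def handle_endtag(self, tag):
        if self.skip_depth:
            if tag == self.skip_tag:
                self.skip_depth -= 1
            return
        if tag not in self.stack:
            return                         # stray or non-allowlisted close tag
        while True:                        # close intermediates, as tidy would
            open_tag = self.stack.pop()
            self.out.append("</%s>" % open_tag)
            if open_tag == tag:
                break

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))

    def handle_comment(self, data):
        pass                               # comments, <?pi ?>, <!DOCTYPE> dropped

    handle_decl = handle_pi = handle_comment

    def result(self):
        self.close()
        while self.stack:                  # close whatever the author left open
            self.out.append("</%s>" % self.stack.pop())
        return "".join(self.out)


def sanitize_xhtml(fragment):
    """Return (clean_fragment, list of dangerous tags that were removed)."""
    s = _Sanitizer()
    s.feed(fragment)
    return s.result(), s.dropped


def validate_input(fragment):
    """Input-boundary validator: reject if dangerous tags were present or the
    cleaned result still is not well-formed XML; otherwise return it."""
    clean, dropped = sanitize_xhtml(fragment)
    if dropped:
        raise RejectedInput("disallowed elements: %s" % ", ".join(dropped))
    try:
        ET.fromstring("<div>%s</div>" % clean)   # must now parse as XML
    except ET.ParseError as exc:
        raise RejectedInput("not well-formed after cleanup: %s" % exc)
    return clean


def is_acceptable(fragment):
    """Boolean form of validate_input, handy inside a form validator."""
    try:
        validate_input(fragment)
        return True
    except RejectedInput:
        return False
```

Because the cleaned text is re-escaped and every open tag is closed, the final `ET.fromstring` check is the equivalent of "XML() won't choke" from the post; anything that still fails there is rejected rather than stored.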

